Use of transaction terminals such as automatic teller machines (ATMs) which are operable at all hours has been widely accepted to satisfy needs for dispensing cash and performing other financial transactions at unmanned locations. The convenience of ATMs has made them extremely popular with the general public. Furthermore, owners of retail merchandise stores have found that the on-premise location of an ATM attracts customers into the retail location, which in turn increases the number of cash purchases by customers. As a result, ATMs are often located at locations remote from the associated financial institutions, such as banks. Such a distributed system of ATMs or other transaction terminals poses several intricate security problems.
The financial industry is particularly concerned about these security issues. For example, electronic funds transfer (EFT) systems that employ ATMs typically do not require the user's signature, which may be forged easily, on an instrument in order to perform a transaction. Rather, the user's secret personal identification number (PIN) and plastic bank card or transaction card serve the purpose of identifying and verifying the user to the EFT system. The PIN may be, for example, a four-digit number. Typically, after the user inserts his bank card into a slot in the ATM, the ATM prompts the user for his PIN. The user then enters his PIN into a keyboard associated with the ATM, which then compares the PIN with information stored in a database connected to the ATM. The transaction is allowed to proceed only if the comparison indicates that the proper PIN was entered.
Several security issues have arisen in connection with unauthorized persons obtaining the PIN and other account information of a legitimate customer. This situation is of particular concern because the unauthorized person can then gain access to the information stored in the private accounts of the legitimate customer as well as access to any funds stored in such accounts. In response to these concerns, the financial industry has employed various techniques to counter unauthorized uses of PIN numbers and bank cards. For example, it is known to use cryptographic operations in order to encode the PIN once the user has entered it into the keyboard associated with the ATM. Such techniques help prevent unauthorized persons from monitoring messages transmitted over network links and thereby obtaining PIN information.
Recently, highly sophisticated techniques have been used by unauthorized persons in order to obtain PIN and other account information. One such technique includes deploying a bogus ATM in a shopping mall or other public location. The bogus machine does not dispense cash when a customer inserts his bank or transaction card and enters his PIN. The machine does, however, retain and record the card account number and PIN which the customer entered in a vain attempt to make the machine dispense cash. The recorded information can then be used to create bogus plastic cards that simulate the action of the real bank cards. Together with the PINs recorded by the bogus machine, these cards can be used at legitimate ATMs to transfer or withdraw, for example, funds stored in other persons' bank accounts.
Schemes such as the one outlined above clearly indicate the need for a method of authenticating the ATM or other transaction terminal to a user or customer prior to his providing any secret or confidential information to the ATM or other transaction terminal.
Methods for authenticating hardware components to one another in a communication system by using cryptographic techniques are known in the art U.S. Pat. No. 4,799,061, "Secure Component Authentication System," issued to Abraham et al., for example, discloses one such method. These methods, however, do not provide for authenticating the components to a user or customer.
The problem of authenticating to a user a terminal that requires the user to enter confidential information has been previously recognized. One solution suggested in some references is to provide the user with a separate, personalized, portable terminal device. U.S. Pat. No. 4,529,870, "Cryptographic Identification, Financial Transactions, and Credential Device," for example, provides a cryptographic apparatus which may be utilized by its owner to identify himself to an external computer system, to perform various financial transactions with an external system, and to provide various kinds of credentials to an external system. In one embodiment, the apparatus is separable into a cryptographic device and a personal terminal device. The owner of the apparatus presumably has greater control over the personal terminal device, thereby making it less likely that confidential data would be improperly retained by a terminal such as a merchant's point of sale terminal. Such devices, however, require that additional hardware be incorporated into the card-like device and may require additional changes so that the device and other system components can communicate.